From: Alexander Best
To: freebsd-current@freebsd.org
Cc: freebsd-net@freebsd.org
Date: Sun, 27 Nov 2011 15:45:36 +0000
Message-ID: <20111127154536.GA54043@freebsd.org>
Subject: possible array out of bounds access in sys/netinet/sctp_output.c

hi there,

I've been playing with clang tot and noticed the following error:

/usr/local/bin/clang -c -O3 -pipe -fno-inline-functions -fno-strict-aliasing -march=core2 -std=c99 -g -fdiagnostics-show-option -fformat-extensions -Wall -Wcast-qual -Winline -Wmissing-include-dirs -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wundef -Wno-pointer-sign -nostdinc -I. -I/usr/git-freebsd-head/sys -I/usr/git-freebsd-head/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-omit-frame-pointer -mno-aes -mno-avx -mcmodel=kernel -mno-red-zone -mno-mmx -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Wno-error=tautological-compare -Wno-error=shift-count-negative -Wno-error=shift-count-overflow -Wno-error=shift-overflow -Wno-error=conversion -Wno-error=empty-body -Wno-error=gnu-designator -Wno-error=format -Wno-error=format-invalid-specifier -Wno-error=format-extra-args -Werror /usr/git-freebsd-head/sys/netinet/sctp_output.c
clang: warning: argument unused during compilation: '-fformat-extensions'
/usr/git-freebsd-head/sys/netinet/sctp_output.c:4685:2: error: array index 1 is past the end of the array (which contains 1 element) [-Werror,-Warray-bounds]
        sup_addr->addr_type[1] = htons(SCTP_IPV6_ADDRESS);
        ^                   ~
/usr/git-freebsd-head/sys/netinet/sctp_header.h:84:2: note: array 'addr_type' declared here
        uint16_t addr_type[SCTP_ARRAY_MIN_LEN]; /* array of supported address
        ^
1 error generated.
*** Error code 1

Stop in /usr/obj/usr/git-freebsd-head/sys/GENERIC.
*** Error code 1

Stop in /usr/git-freebsd-head.
*** Error code 1

Stop in /usr/git-freebsd-head.

This is from a GENERIC kernel build (so INET + INET6) for amd64.

Is this a false positive, or is length(sup_addr->addr_type) really == 1, thus making sup_addr->addr_type[1] an illegal access?

cheers.
alex
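The pattern clang is reporting on is the pre-C99 "struct hack": a trailing array declared with one element that callers over-allocate and index past. The following is an added illustration, not FreeBSD's code or anything from the message: the struct and constant names are assumed, only SCTP_ARRAY_MIN_LEN == 1 is taken from clang's note, and it shows the [1] declaration next to the C99 flexible array member, with the allocation-size check that actually decides whether index 1 is legitimate.

```c
/* Added illustration (not FreeBSD's code): a [1]-declared trailing array
 * versus a C99 flexible array member. Names and values are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#define SCTP_ARRAY_MIN_LEN 1   /* the "1 element" clang reports */
#define ADDR_IPV4 5            /* constructed sample values */
#define ADDR_IPV6 6

/* Pre-C99 "struct hack": callers over-allocate and index past the [1].
 * A write to addr_type[1] on this type is what the clang in the message flagged. */
struct sup_addr_hack {
    uint16_t ph_type, ph_len;
    uint16_t addr_type[SCTP_ARRAY_MIN_LEN];
};

/* C99 flexible array member: same bytes in memory, but the bound is open. */
struct sup_addr_fam {
    uint16_t ph_type, ph_len;
    uint16_t addr_type[];
};

/* Bytes needed for n >= 1 address types; both declarations agree. */
size_t hack_bytes(size_t n) { return sizeof(struct sup_addr_hack) + (n - SCTP_ARRAY_MIN_LEN) * sizeof(uint16_t); }
size_t fam_bytes(size_t n) { return offsetof(struct sup_addr_fam, addr_type) + n * sizeof(uint16_t); }

/* Write an INET + INET6 parameter into buf (cap bytes). Returns the length written,
 * or 0 if cap is too small: this check on the real allocation, not the declared
 * array size, is what makes index 1 safe. Host byte order; the kernel uses htons(). */
size_t fill_sup_addr(void *buf, size_t cap)
{
    struct sup_addr_fam *p = buf;
    size_t len = fam_bytes(2);
    if (buf == NULL || cap < len)
        return 0;
    p->ph_len = (uint16_t)len;
    p->addr_type[0] = ADDR_IPV4;
    p->addr_type[1] = ADDR_IPV6;   /* the write clang complained about */
    return len;
}

/* Round trip through a heap buffer sized exactly for two entries. */
int demo(void)
{
    size_t n = fam_bytes(2);
    struct sup_addr_fam *p = malloc(n);
    int ok = p != NULL && fill_sup_addr(p, n) == n && p->addr_type[1] == ADDR_IPV6;
    free(p);
    return ok;
}
```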